Import-AzKeyVaultCertificate with -CertificateString throws error


I'm trying to import a self-signed PFX certificate (with private key) into Azure Key Vault with the Import-AzKeyVaultCertificate command using the -CertificateString parameter.

But when I run this command I get the following error message:

Import-AzKeyVaultCertificate : The specified PKCS#12 X.509 certificate content can not be read. Please check if certificate is in valid PKCS#12 format. Status: 400 (Bad Request)

I can import the very same PFX certificate manually in Key Vault, without any problems. But I need to do this using -CertificateString for a deployment script.

So I converted my PFX certificate into a Base64 string using PowerShell:

# Read the PFX as raw bytes (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead of -Encoding Byte)
$fileContentBytes = Get-Content ".\myCert.pfx" -Encoding Byte
# Out-File appends a line break after the Base64 string (and, in Windows PowerShell, writes UTF-16 with a BOM)
[System.Convert]::ToBase64String($fileContentBytes) | Out-File ".\pfx-base64.txt"

Multiple sites showed that this is the way to convert a PFX cert to a Base64 string. One of them is this one: https://learn.microsoft.com/en-us/answers/questions/258583/import-certificate-api-for-azure-key-vault.html

I then use that string in PowerShell like so:

$Secure_String_Pwd = ConvertTo-SecureString "MySecretPassword" -AsPlainText -Force;
Import-AzKeyVaultCertificate -VaultName "MyKeyVault" -Name "cert-signing" -CertificateString "MIIJagIBAzCCCSYGCS.....9oV21QwICB9A=" -Password $Secure_String_Pwd;

I don't understand why it's throwing an error. The certificate seems to be fine when I upload it manually. Why doesn't it work in Base64 form?


I tried to import the certificate in my environment.

Here, when trying to import a certificate, it has to be imported with a password. For that, the certificate must be set with a password when it is created, so that when importing the .pfx certificate the private key is secured with the password.

In Cloud Shell, when setting up the self-signed certificate, set it with a password.


Or check the code below from Azure - Unable to "Import Certificate" using API in PowerShell - Stack Overflow.

Check if the password is sent in the correct format, and try sending it directly instead of converting it to a SecureString.

Ex:

$kvname = "newkaazurekeyvault"
$certname = "kaselfsignedcertific"
$tenantId = "xxxxxxxxx"
$subId = "bxxxxxxx"
Connect-AzAccount -Subscription $subId -Tenant $tenantId

# Audience for the bearer token; the Key Vault data plane expects https://vault.azure.net
$resource = "xxxxx"
$context = Get-AzContext
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account,
 $context.Environment,
 $context.Tenant.Id.ToString(),
 $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken

# Read the PFX as raw bytes (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream)
$pfxcontent = Get-Content 'C:\Users\vxxx\kaazurekeyvault-kaselfsixxx-2xxx.pfx' -Encoding Byte
$base64pfxcontent = [System.Convert]::ToBase64String($pfxcontent)

# Request body for the import API: the PFX password goes in as a plain string, not a SecureString
$json_new = @{
  value = $base64pfxcontent
  pwd = "Pxxx234"
  policy = @{
    secret_props = @{
      contentType = "application/x-pkcs12"
    }
  }
}

# -Depth covers the nested policy object
$json = $json_new | ConvertTo-Json -Depth 4

$header = @{ Authorization = "Bearer " + $token }
Invoke-RestMethod -Method Post -Uri "https://$kvname.vault.azure.net/certificates/$certname/import?api-version=7.0" -Body $json -Headers $header -ContentType "application/json"


So try to export the certificate as a PFX with a password:

$password = ConvertTo-SecureString "Password!" -AsPlainText -Force

# $cert is assumed to be the certificate object, e.g. the one returned by New-SelfSignedCertificate
Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath C:\temp\cert2.pfx -Password $password

Then try to import that PFX certificate using the password:

# Import-AzureKeyVaultCertificate is the legacy AzureRM cmdlet; in the Az module it is Import-AzKeyVaultCertificate
Import-AzureKeyVaultCertificate -VaultName tempvault -Name certifcte -FilePath C:\temp\cert2.pfx -Password $password

Then the certificate is imported successfully.

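The Base64 conversion in the question and the password requirement in the answer come together in the following added example; it is not code from either post. It builds a password-protected PFX entirely in memory (a constructed test input), encodes it the way -CertificateString expects, and then performs locally the same PKCS#12-plus-password parse that the service performs on import, so a stray line break, a missing private key or a wrong password is caught before the 400 comes back from Key Vault. It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (for CertificateRequest); the vault name, certificate name and password are placeholders, and Import-CheckedKeyVaultCertificate is a helper name chosen here, not an Az cmdlet.

```powershell
# Added example, not code from the question or the answer. Builds a password-protected
# PFX in memory (constructed test input), base64-encodes it the way -CertificateString
# expects, and checks locally that the bytes parse as PKCS#12 with that password before
# anything is sent to Key Vault. Assumes PowerShell 7 or Windows PowerShell 5.1 on
# .NET Framework 4.7.2+ (CertificateRequest). Vault and certificate names are placeholders.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-TestPfxBytes {
    param([string]$Subject = 'CN=kv-import-test', [Parameter(Mandatory)][securestring]$Password)
    # Constructed input: a self-signed RSA certificate exported as PKCS#12, with the
    # private key protected by $Password (the property the answer says Key Vault needs).
    $rsa = [RSA]::Create(2048)
    try {
        $req  = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
        try { return $cert.Export([X509ContentType]::Pfx, $Password) } finally { $cert.Dispose() }
    } finally { $rsa.Dispose() }
}

function ConvertTo-PfxBase64 {
    param([Parameter(Mandatory)][byte[]]$PfxBytes)
    # One unbroken line. Do not round-trip it through Out-File/Get-Content: Out-File
    # appends a line break (and, in Windows PowerShell, writes UTF-16 with a BOM).
    return [Convert]::ToBase64String($PfxBytes)
}

function Test-PfxBase64 {
    param([Parameter(Mandatory)][string]$CertificateString, [Parameter(Mandatory)][securestring]$Password)
    # FromBase64String silently skips whitespace, so test for stray CR/LF explicitly.
    if ($CertificateString -match '\s') { throw 'CertificateString contains whitespace (line break from Out-File?)' }
    $bytes = [Convert]::FromBase64String($CertificateString)
    # PKCS#12 is DER: the outermost PFX object is a SEQUENCE, tag byte 0x30.
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x30) { throw 'Decoded bytes do not start with a DER SEQUENCE; not PKCS#12' }
    # Loading with the password is the same operation the service performs on import;
    # a wrong or missing password fails here with a CryptographicException.
    $cert = [X509Certificate2]::new($bytes, $Password, [X509KeyStorageFlags]::Exportable)
    try {
        if (-not $cert.HasPrivateKey) { throw 'PFX parsed, but it carries no private key' }
        return [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
    } finally { $cert.Dispose() }
}

function Import-CheckedKeyVaultCertificate {
    # Helper name chosen for this example; the inner call is the one from the question
    # and needs Az.KeyVault plus a signed-in context.
    param([string]$VaultName, [string]$Name, [string]$CertificateString, [securestring]$Password)
    $null = Test-PfxBase64 -CertificateString $CertificateString -Password $Password
    Import-AzKeyVaultCertificate -VaultName $VaultName -Name $Name -CertificateString $CertificateString -Password $Password
}

# Offline demonstration ($pwd is avoided as a name because PowerShell reserves it for the current directory)
$pfxPassword = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force
$pfxBytes    = New-TestPfxBytes -Password $pfxPassword
$b64         = ConvertTo-PfxBase64 -PfxBytes $pfxBytes

Test-PfxBase64 -CertificateString $b64 -Password $pfxPassword        # passes: subject, thumbprint, expiry

try { Test-PfxBase64 -CertificateString ($b64 + "`r`n") -Password $pfxPassword }
catch { "trailing newline rejected: $($_.Exception.Message)" }

$wrongPassword = ConvertTo-SecureString 'not-the-password' -AsPlainText -Force
try { Test-PfxBase64 -CertificateString $b64 -Password $wrongPassword }
catch { "wrong password rejected: $($_.Exception.Message)" }

# With a real vault and an Az login:
# Import-CheckedKeyVaultCertificate -VaultName 'MyKeyVault' -Name 'cert-signing' -CertificateString $b64 -Password $pfxPassword
```

The three local checks map to the three things that make the service reply "can not be read": whitespace that crept into the string on its way through a file, bytes that are not a DER PKCS#12 blob at all (a PEM or CER file, for instance), and a password that does not open the private key. Running Test-PfxBase64 against the exact string you intend to pass to -CertificateString, with the exact SecureString you intend to pass to -Password, tells you which of the three it is without a round trip to Azure.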